73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	b2e.exe
4884	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4884	cpuminer-sse2.exe
4884	cpuminer-sse2.exe
4884	cpuminer-sse2.exe
4884	cpuminer-sse2.exe
4884	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2096	4364	batexe.exe	83
PID 4364 wrote to memory of 2096	4364	batexe.exe	83
PID 4364 wrote to memory of 2096	4364	batexe.exe	83
PID 2096 wrote to memory of 1740	2096	b2e.exe	84
PID 2096 wrote to memory of 1740	2096	b2e.exe	84
PID 2096 wrote to memory of 1740	2096	b2e.exe	84
PID 1740 wrote to memory of 4884	1740	cmd.exe	87
PID 1740 wrote to memory of 4884	1740	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B239.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe

Filesize
2.1MB

MD5
9b436effab865f45e31ec8c80d1d566b

SHA1
33f1e6a8dde975eb2c19a1f580a74fe53f568e18

SHA256
a4a96e0f897f7cb9e20a5e1bfd072bbeb53aee4751589970b35f6d840afa6a44

SHA512
5773324ce203b9920d214e504ac0959148c5dd30e0469f1ffbdeae3308994d831d717af0392e6a539d0872b931207126f892e00eb5342cead90cdd523b6f8350

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe

Filesize
2.3MB

MD5
758c3e5fbbbcc0e37e47add95322abf5

SHA1
bfcda07ecbe7a881e3eb13ef2a7acc8b77e1c73e

SHA256
c06cc71433bab21b17d9647aafd4686b227efbe821944c0fb725e7fe63c83a4e

SHA512
6359b43d29ef83f934fd2d5e5f53c4f87b33a15249a51fe3a3691ad447ed7f1ace3bf7d5b4feea60df8c6fd78c2147bc70a1686070e200ce0eb87fda9240e18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB82.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\B239.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
c9edc16741c66eac51990c3950fd7282

SHA1
75d0cf626a716281e8c2ae846f83a74de5bf384b

SHA256
a2ba8fda3adb7193a47e93589e4492529b5a7d1ac82feaa6a2859272866dce51

SHA512
c867ae54b1895e2e450d0761f57363725306fbd6986c00971b159175a3b3b654fe491f5ebe90acb07237d1bfe1511e61d436994ae27a8dd068f3dc54e44e6d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
566KB

MD5
ae94b7559614ba37d5934ae96cf14ccf

SHA1
53f1849b393d19a56d33f1b013fd02deec0228ae

SHA256
9f574cc961dda88ec7d50cd34c054c665341bc3135af22c2919052be8c02352f

SHA512
3a1a66ebece9cc60b39f10402c0004363832e7b087015b639ec0d102fd0f0c784f23f97e8c19a107097d26e4ac21af899f0816a8e4fa943d459d7e5a711d4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
284KB

MD5
b24cc97f669c56b6b99b8a9353a243fc

SHA1
903292466378b50d4a9fdc7d83c7f24d10fa3570

SHA256
eac754ab8e13145608c59c81a4b46092f0ab8a6f505c2d0854ef5a4ec39d1590

SHA512
d059546bd8269d27c068828609618001aab64d5c534f65ec18cade0b36d84a6e2aac49c31046ca9bdcc22c7ad79fd9fda380f79ec3549c0840443a9fd492ea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
616KB

MD5
f09bc916afd01e05d5c3e412541c4fc6

SHA1
93b5d65974762647517f8c4d0b4f73e823569dd2

SHA256
dd95170cb6f5a4fc305e9f28a6ca4a33a5340884b4ffa9a94a29fcb47b7e36b7

SHA512
df994a94b165875b96d6dbceb7f6056dcaac94ee995a050858e73204097e0fcffce1cde1804a9daf8b2a1fff7400b7b3b32a26dfec8c0621ba217e3f248a5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
321KB

MD5
d3a825d26c97c931050edb6e12c689b0

SHA1
429b895384db4a31dddbf181a4385029ecc5fe44

SHA256
cbd401350df238e6007681e4eb4d7869376ee143ea41119df8730b4ec1c9886e

SHA512
39b026dae0fcd390710bbb7a12360b0a16b42069cf7b5984582a0d30b7804ab233811b5e9589e9c921ec927ad3fbd7d92a1a5bcf7b839fa1facd3c5288624c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
354KB

MD5
d0ae9bfcaca71660d398377c25c92cab

SHA1
4a47b297f0f37864aca336c16c28d5bd71ca4f96

SHA256
7263130d898b003f69fe221fa533b679772859d5aa5e20d2f88cce8d99008959

SHA512
ab4673a60b53de6e884bcb024697d15c248adb97416bbc6e6237696281b37b48d9dc762900f458e9fb27c5a622868aecfc635954d62484e9ad5094aa6d3eb67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
339KB

MD5
476f4218c69f18955b6fff38e63e271f

SHA1
0511fa2f3ae80335fc27e3e53c4ab70e5922a75f

SHA256
22f02351ef070556c4f9c4b9133b4053e81ba9301645e47840fbe6372ea7cf13

SHA512
4f4f572c991990d61cfcdb7b47a5cd14f7e13f2f20f56f52c7587ec5cd0c86731b4a490a1f0ff8839beb109d217fe35f7b435de4534705436c7c89a16aef04d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
f942a34db61ded1d2db6b40a92e88cc5

SHA1
94218290e8e7a7da7d4dcda86e0fdd680ce8595e

SHA256
ab0599f9470d9405120ce79c46c6f935db0e096b3c007ed1a116dddb8148ddaf

SHA512
76e322be00a3e60fc095f146f2fb47a886d9431bcd24002ab547276cd68890afd56d4f0fb8d0736cf0117d141f1661fbbd2711554a22a3e73bffae6f8101aac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
1004ddf7179cc09e5be9ef721fa2fe81

SHA1
91417987e90f961e5ca489383a20636345c96dd5

SHA256
cf757951f36b4b33d379fc12103ba6928e279ed1e05202c436e75d4ae6ecb426

SHA512
f3b0b763e95abce9a0eb7d5faa2b9fdada2eb50a5cbf9dda2e5dbd3261473a7243d9869932125413e220ab3f4e214083358a0d503ed71da021c689e87042fc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
351KB

MD5
947ccc7ceed37ecc84546d3086e5c326

SHA1
b76858f4e31bd33b7eb89c976a1d286a30bafa51

SHA256
c5fac3aa672fd016fc8fc6d59b811d4b4eab1e12290dc954f0d17731ed793c50

SHA512
57815e2a0c878bacb5353a9e89ec419dc07486f9944d283a6a876b4921b99e13b91e6c9ee8aba52a8e5cdacd8e32092c426bf61e02ff93f6564db038e6e7df78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
442KB

MD5
e9795d28757ddf62aaca50f14ad11e1f

SHA1
4a8072d8ec5fee2a6dabde00990e755082ec3f31

SHA256
1e145ae028ea3251e0cb85923e3aad7480b13ca76ac5000f8bc7ee9f11082aa3

SHA512
1d0619c78e7d2d63fb3b3ef954a8de45b244d1beb29099fd389c096f239688de8f619a65bf9e87dc2a998565b858855a9bdfe853be5cf30582ede95214343555

Download Submit
memory/2096-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2096-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4364-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4884-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4884-46-0x00000000758A0000-0x0000000075938000-memory.dmp

Filesize
608KB

Download
memory/4884-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4884-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4884-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4884-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download